AWS Route 53

From Indie IT Wiki

SPF Verification

SPF hard fail example...

v=spf1 ip4:192.168.0.1 -all

In the above example the minus "-" in front of "all" means that any sender not listed in this SPF record should be treated as a "hardfail", i.e. it is unauthorised and its emails should be discarded. In this case only the IP address 192.168.0.1 is authorised to send emails.

SPF soft fail example...

v=spf1 include:amazonses.com ~all

In the above example the tilde "~" in front of "all" means that any server not listed in this SPF record should be treated as a "softfail", i.e. mail can be allowed through but should be tagged as spam or suspicious. In this case include:amazonses.com authorises Amazon SES to send emails. Any emails originating from other servers should be marked as spam by the receivers.
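To see how the two qualifiers above differ in practice, here is an added example (not part of the original wiki page) that evaluates an SPF record against a sender IP, handling ip4/ip6, include and all terms. The include: lookups read from a constructed table standing in for DNS, so the IP ranges behind amazonses.com and _mailcust.gandi.net are made up for the demo; it also covers the "?all" neutral case used in the Gandi record further down this page.

```python
import ipaddress

# Constructed stand-in for DNS: the TXT record an include: mechanism would
# fetch. Domains come from the page; the IP ranges are made up for the demo.
CONSTRUCTED_DNS = {
    "amazonses.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_mailcust.gandi.net": "v=spf1 ip4:203.0.113.0/24 ?all",
}

# Qualifier prefix -> SPF result; "+" (pass) is implied when none is given.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip, dns=CONSTRUCTED_DNS, depth=0):
    """Evaluate an SPF record for one sender IP, handling ip4/ip6 (optional
    CIDR), include and all. Returns pass, fail, softfail, neutral or
    permerror; with no matching term the result is neutral, which is why
    a record should end with an 'all' term."""
    if depth > 10:                       # RFC 7208 caps DNS-based lookups
        return "permerror"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):       # a v4 address never matches a v6 range
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "include":
            included = dns.get(arg)
            if included is None:         # included domain publishes no SPF
                return "permerror"
            # include matches only when the included record itself passes
            if check_spf(included, sender_ip, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:                            # a, mx, ptr, exists, redirect= need live DNS
            raise NotImplementedError(f"{mech} not supported offline")
    return "neutral"

if __name__ == "__main__":
    for rec in ("v=spf1 ip4:192.168.0.1 -all", "v=spf1 include:amazonses.com ~all",
                "v=spf1 include:_mailcust.gandi.net ?all"):
        print(f"{rec:42} sender 192.0.2.9 -> {check_spf(rec, '192.0.2.9')}")
```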

DKIM Verification

https://aws.amazon.com/premiumsupport/knowledge-center/route53-resolve-dkim-text-record-error/

https://www.linuxbabe.com/mail-server/setting-up-dkim-and-spf

Command Line

cli53

There is an unofficial, well-maintained command line app called cli53.

cli53 provides import and export from BIND format and simple command line management of Route 53 domains.

Features:

  • import and export BIND format
  • create, delete and list hosted zones
  • create, delete and update individual records
  • create AWS extensions: failover, geolocation, latency, weighted and ALIAS records
  • create, delete and use reusable delegation sets

Latest version: 0.8.22 (24 FEB 2023)

https://github.com/barnybug/cli53/releases/latest

Install software...

wget -O cli53 https://github.com/barnybug/cli53/releases/download/0.8.22/cli53-linux-amd64
sudo install -m 755 ./cli53 /usr/local/bin/cli53

Configure...

To configure your Amazon credentials, place them in the file ~/.aws/credentials:

[default]
aws_access_key_id = AKID1234567890
aws_secret_access_key = MY-SECRET-KEY

Export Zone File As TXT

List domain name zones...

cli53 list --profile default

Export domain name zone...

cli53 export --full --profile default domain.co.uk

Adding Zones

cli53 create example.com --comment 'my first zone'

Adding Records

A record...

cli53 rrcreate example.com 'www 60 A 123.456.789.0'
cli53 rrcreate example.com 'mail1 60 A 123.456.789.0' 'mail2 60 A 123.456.789.0'

MX record...

cli53 rrcreate example.com '@ MX 10 mail1.' '@ MX 20 mail2.'

A record using specific AWS profile...

cli53 rrcreate --profile profilename example.com 'www 60 A 123.456.789.0'

CNAME record using a specific profile. For CNAME records, a relative name has no trailing dot, while an absolute name must end with one...

cli53 rrcreate --profile profilename example.com 'host CNAME data'
cli53 rrcreate --profile profilename example.com 'host CNAME anotherhost.domain.com.'

Adding multiple records ...

cli53 rrcreate example.com '@ 60 A 123.456.789.0' 'www 60 A 123.456.789.0'

Editing Records

cli53 rrcreate --replace example.com 'www 60 A 123.456.789.0'
cli53 rrcreate --replace example.com '@ 60 A 123.456.789.0' 'www 60 A 123.456.789.0'

Deleting Records

cli53 rrdelete example.com www A
cli53 rrdelete example.com @ MX

Redirect Domain Using S3

https://aws.amazon.com/premiumsupport/knowledge-center/redirect-domain-route-53/

Route 53 Hosted Zone -> A Record ALIAS -> S3 Bucket Endpoint -> Static Website Hosting -> Redirect Requests -> Domain

Make sure you create a bucket with the same subdomain as well.

e.g.

domain.co.uk -> bucket with exact same name
www.domain.co.uk -> bucket with exact same name

Thanks - http://www.holovaty.com/writing/aws-domain-redirection/

Use GANDI Free Email Forwarding

The domain registrar Gandi provides 2 free e-mail addresses per domain, and unlimited forwarding accounts.

While your domain may be hosted on AWS (using AWS nameservers), you can update the DNS configuration to point to Gandi's mail servers, then set up and manage all your domain name e-mail addresses from Gandi's console.

This is managed in your AWS console under Route 53, Hosted Zones. You'll then want to create two record sets for the domain as follows:

Type  Alias  TTL    Value                                       Routing Policy
MX    No     10800  10 spool.mail.gandi.net.                    Simple
MX    No     10800  50 fb.mail.gandi.net.                       Simple
TXT   No     10800  "v=spf1 include:_mailcust.gandi.net ?all"   Simple

https://dev.to/peterdenham/personal-domain-e-mail-on-aws-with-gandi-4ofl